Loading Malicious JavaScript from a Font

Loading malicious JavaScript from a “benign” file isn’t a new thing, but using a font file is. I spotted a WOFF file with a malicious payload in the wild. As we’ve seen before with a PNG, the file is requested with a fetch and then the non-JavaScript part of the file is sliced away. A link to the code is below: https://gist.github.com/krautface/897f077ab5fd64af2ee1a280be5b91de

The code removes the first 44,040 characters, and the remaining part is used to create a new Function, which is then executed.

In the partly deobfuscated code you can start to see what it’s actually doing if you look at Line 630:

Farther down, you can see the exfil URLs and that it supports both a standard GET and websockets:

A key thing with this type of technique is that it’s very abnormal to see a fetch request for an image, font, or any other normally binary file. So if you are monitoring sites and you see something like this, it’s worth investigating.
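One way to turn that observation into a check, as an added example that is not from the original post or the gist: walk a list of network entries (here a constructed, HAR-like sample with the Resource Timing `initiatorType` names) and flag any font or image that was requested by script via fetch or XHR rather than by CSS, an `<img>` tag, or a `<link>`.

```javascript
// Added example: flag script-driven fetch()/XHR requests whose target looks
// like a font or image, the pattern described above (page JS fetching a WOFF
// and slicing a payload out of it). The entry shape and sample data below are
// assumptions for this example, not data from the post.
const BINARY_EXT = /\.(woff2?|ttf|otf|eot|png|jpe?g|gif|webp|ico)$/i;

// Assumed entry shape: { url, initiatorType, mimeType }
// initiatorType follows Resource Timing: "fetch", "xmlhttprequest",
// "css", "img", "link", "script".
function isSuspiciousBinaryFetch(entry) {
  const viaScript =
    entry.initiatorType === "fetch" || entry.initiatorType === "xmlhttprequest";
  if (!viaScript) return false;
  let path;
  try {
    path = new URL(entry.url).pathname; // pathname drops any ?query
  } catch {
    return false; // unparsable URL: not something we can classify
  }
  return BINARY_EXT.test(path);
}

// Returns the URLs worth a closer look.
function findSuspicious(entries) {
  return entries.filter(isSuspiciousBinaryFetch).map((e) => e.url);
}

// Constructed sample: a normal CSS font load, a normal image, a JSON API
// call, and one WOFF pulled down by fetch from script.
const SAMPLE_ENTRIES = [
  { url: "https://cdn.shop.example/fonts/brand.woff", initiatorType: "css", mimeType: "font/woff" },
  { url: "https://cdn.shop.example/img/logo.png", initiatorType: "img", mimeType: "image/png" },
  { url: "https://api.shop.example/cart", initiatorType: "fetch", mimeType: "application/json" },
  { url: "https://static.cdn.example/assets/font.woff?v=3", initiatorType: "fetch", mimeType: "font/woff" },
];

console.log(findSuspicious(SAMPLE_ENTRIES)); // → ["https://static.cdn.example/assets/font.woff?v=3"]
```

Some legitimate font loaders do fetch a font as an ArrayBuffer for the FontFace API, so treat a hit as a triage lead and look at the script that issued the request, not as proof of compromise on its own.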

A modified version of this was originally posted on Twitter:
https://twitter.com/AffableKraut/status/1425204207431344132

Posted in Infosec, Magecart.
